Important: After changing
properties in the dse.yaml file, you must restart the node for the
changes to take effect.

Package installations

/etc/dse/dse.yaml

Tarball installations

installation_location/resources/dse/conf/dse.yaml

The cassandra.yaml file is the primary
configuration file for the DataStax Enterprise database.

Syntax

For the properties in each section, the parent setting has zero
spaces. Each child entry requires at least two spaces. Adhere to the YAML syntax
and retain the spacing. For example, no spaces before the parent
node_health_options entry, and at least two spaces before the child
settings:
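For example, a sketch of the expected spacing using the node_health_options section; the uptime value is the default documented below, and the dropped mutation window value is illustrative:

node_health_options:
  uptime_ramp_up_period_seconds: 10800   # documented default (3 hours)
  dropped_mutation_window_minutes: 30    # illustrative value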

Authentication options

Authentication options for the DSE Authenticator, which allows you to use multiple schemes for authentication in a DataStax Enterprise cluster. Additional authenticator configuration is required in cassandra.yaml.

Options for the DseAuthenticator to authenticate users when the authenticator option
in cassandra.yaml is set to
com.datastax.bdp.cassandra.auth.DseAuthenticator. Authenticators other than
DseAuthenticator are not supported.

enabled

Enables user authentication.

true - The DseAuthenticator authenticates users.

false - The DseAuthenticator does not authenticate users and allows all
connections.

When not set, the default is false.

Default: commented out (false)

default_scheme

Sets the first scheme to validate a user against when the driver does not request a
specific scheme.

other_schemes

A list of schemes that are also checked if validation against the first scheme fails and no scheme was specified by the driver. Uses the same scheme names as default_scheme.

scheme_permissions

Whether roles need to have permission granted to them in order to use specific
authentication schemes. These permissions can be granted only when the DseAuthorizer
is used. Set to one of the following values:

true - Use multiple schemes for authentication. Every role must be granted permission on a scheme before it can authenticate with that scheme.

false - Do not use multiple schemes for authentication. Prevents unintentional
role assignment that might occur if user or group names overlap in the
authentication service.

allow_digest_with_kerberos

Controls whether DIGEST-MD5 authentication is also allowed with Kerberos. The DIGEST-MD5 mechanism is not directly associated with an authentication scheme, but is used by Kerberos to pass credentials between nodes and jobs.

true - DIGEST-MD5 authentication is also allowed with Kerberos. In analytics
clusters, set to true to use Hadoop inter-node authentication with Hadoop and
Spark jobs.

false - DIGEST-MD5 authentication is not used with Kerberos.

Analytics nodes require true to use internode authentication with Hadoop and
Spark jobs. When not set, the default is
true.

Default: commented out (true)

plain_text_without_ssl

Controls how the DseAuthenticator responds to plain text authentication requests
over unencrypted client connections. Set to one of the following values:

block - Block the request with an authentication error.

warn - Log a warning about the request but allow it to continue.

allow - Allow the request without any warning.

Default: commented out (warn)

transitional_mode

Whether to enable transitional mode for temporary use during authentication setup in
an already established environment.

Transitional mode allows access to the database
using the anonymous role, which has all permissions except
AUTHORIZE.

disabled - Transitional mode is disabled. All connections must provide valid
credentials and map to a login-enabled role.

permissive - Only super users are authenticated and logged in. All other connections are logged in as the anonymous user.

normal - Allow all connections that provide credentials. Maps all
authenticated users to their role AND maps all other connections to
anonymous.

strict - Allow only authenticated connections that map to a login-enabled role
OR connections that provide a blank username and password as
anonymous.

Important: Credentials are required for all connections after
authentication is enabled; use a blank username and password to login with
anonymous role in transitional mode.
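Taken together, the authentication options above can be sketched as a single authentication_options section; the scheme names internal and ldap are illustrative assumptions, and the remaining values are the defaults documented above:

authentication_options:
  enabled: true
  default_scheme: internal    # illustrative scheme name
  other_schemes:
    - ldap                    # illustrative scheme name
  scheme_permissions: false
  plain_text_without_ssl: warn
  transitional_mode: disabled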

ldap - Scheme that assigns roles by looking up the user name in LDAP and mapping
the group attribute (ldap_options) to an internal role name. To configure an LDAP scheme,
complete the steps in Defining an LDAP scheme.

Attention: Internal role management allows nesting roles for permission management; when using LDAP role management, nesting is disabled. Using GRANT role_name TO role_name results in an error.

Kerberos options

Options to configure security for a DataStax Enterprise cluster using Kerberos.

keytab

The file path of dse.keytab.

service_principal

The service_principal that the DataStax Enterprise process runs under must use the
form dse_user/_HOST@REALM, where:

dse_user is the name of the user that starts the DataStax Enterprise
process.

_HOST is converted to a reverse DNS lookup of the broadcast address.

REALM is the name of your Kerberos realm. In the Kerberos
principal, REALM must be uppercase.

http_principal

The http_principal is used by the Tomcat application
container to run DSE Search. The Tomcat web server uses the GSSAPI mechanism
(SPNEGO) to negotiate the GSSAPI security mechanism (Kerberos). Set
REALM to the name of your Kerberos realm. In the Kerberos
principal, REALM must be uppercase.

qop

A comma-delimited list of Quality of Protection (QOP) values that clients and servers can use for each connection. The client can have multiple QOP values, while the server can have only a single QOP value. The valid values are:

auth - Authentication only.

auth-int - Authentication plus integrity protection of all transmitted data.

auth-conf - Authentication plus integrity protection and encryption of all transmitted data.

Encryption using auth-conf is separate and independent of
whether encryption is done using SSL. If both auth-conf and SSL are enabled, the
transmitted data is encrypted twice. DataStax recommends choosing only one
method and using it for both encryption and authentication.
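A sketch of a kerberos_options section that follows the principal rules above; the keytab path, the HTTP principal form, and the qop value are illustrative assumptions:

kerberos_options:
  keytab: /etc/dse/conf/dse.keytab         # illustrative path
  service_principal: dse/_HOST@EXAMPLE.COM
  http_principal: HTTP/_HOST@EXAMPLE.COM   # assumed SPNEGO principal form
  qop: auth                                # illustrative single QOP value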

LDAP options

Define LDAP options to authenticate users against an external LDAP service and/or for
Role Management using LDAP group look up.

Warning: Do not create/use an LDAP account or group called
cassandra. The DSE database comes with a default login role,
cassandra, that has access to all database objects and uses the
consistency level QUORUM.

search_dn

The distinguished name (DN) of the account used to search the LDAP server. When not set, an anonymous bind is used for the search on the LDAP server.

Default: commented out

search_password

The password of the search_dn
account.

Default: commented out

use_ssl

Whether to use an SSL-encrypted connection.

true - Use an SSL-encrypted connection. Set server_port to the LDAP port for the server (typically 636).

false - Do not enable SSL connections to the LDAP server.

Default: commented out (false)

use_tls

Whether to enable TLS connections to the LDAP server.

true - Enable TLS connections to the LDAP server. Set server_port to the TLS port of the LDAP server.

false - Do not enable TLS connections to the LDAP server.

Default: commented out (false)

truststore_path

The path to the truststore for SSL
certificates.

Default: commented out

truststore_password

The password to access the trust store.

Default: commented out

truststore_type

The type of truststore.

Default: commented out (jks)

user_search_base

Distinguished name (DN) of the object to start the recursive search for user entries for authentication and role management memberof searches.

For your LDAP domain, set the ou and dc elements. Typically set to ou=users,dc=domain,dc=top_level_domain. For example, to search all users in example.com, use ou=users,dc=example,dc=com.

user_memberof_attribute

The attribute in the user entry that contains a list of group names; the role manager assigns DSE roles that exactly match any group name in the list. Required when managing roles using group_search_type: memberof_search with LDAP (role_manager.mode: ldap). The directory server must have memberof support, which is a default user attribute in Microsoft Active Directory (AD).

Default: commented out (memberof)

group_search_type

Required when managing roles with LDAP (role_manager.mode: ldap).
Define how group membership is determined for a user. Choose from one of the following
values:

directory_search - Filters the results by doing a subtree search of group_search_base to find
groups that contain the user name in the attribute defined in the group_search_filter.
(Default)

memberof_search - Recursively search for user entries using the
user_search_base and user_search_filter. Get
groups from the user attribute defined in
user_memberof_attribute. The directory server must have memberof
support.

Default: commented out (directory_search)

group_search_base

The unique distinguished name (DN) of the group record
from which to start the group membership search on.

Default: commented out

group_search_filter

Set to any valid LDAP filter.

Default: commented out (uniquemember={0})

group_name_attribute

The attribute in the group record that contains the LDAP group name. Role names are
case-sensitive and must match exactly on DSE for assignment. Unmatched groups are
ignored.

Default: commented out (cn)

credentials_validity_in_ms

The validity period of the credentials cache.

0 - disable the credentials cache

duration in milliseconds - enable the credentials cache and improve performance by reducing the number of requests that are sent to the LDAP server

Default: commented out (0, disabled)

search_validity_in_seconds

The validity period of the search cache.

0 - disable the search cache

duration in seconds - enable a search cache and improve performance by reducing the number of requests that are sent to the LDAP server

Default: commented out (0, disabled)

connection_pool

The configuration settings for the connection pool for
making LDAP requests.

max_active

The maximum number of active connections to the LDAP
server.

Default: commented out (8)

max_idle

The maximum number of idle connections in the pool
awaiting
requests.

Default: commented out (8)
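The LDAP options above can be combined into one ldap_options sketch; the host name, DNs, and password are illustrative, and the remaining values are the documented defaults:

ldap_options:
  server_host: ldap.example.com                     # illustrative host
  server_port: 389
  search_dn: cn=lookup,ou=users,dc=example,dc=com   # illustrative DN
  search_password: search_password                  # illustrative password
  use_ssl: false
  use_tls: false
  truststore_type: jks
  user_search_base: ou=users,dc=example,dc=com
  group_search_type: directory_search
  group_search_filter: uniquemember={0}
  group_name_attribute: cn
  credentials_validity_in_ms: 0
  search_validity_in_seconds: 0
  connection_pool:
    max_active: 8
    max_idle: 8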

Encrypt sensitive system resources

Options to encrypt sensitive system resources using a local encryption key or a remote
KMIP key.

Note: The system_trace keyspace is
NOT encrypted by enabling the system_information_encryption
section. In environments that also have tracing enabled, manually configure
encryption with compression on the system_trace keyspace. See Transparent data encryption.

enabled

Enables encryption of sensitive system resources.

Default: false

cipher_algorithm

The name of the JCE cipher algorithm used to encrypt system resources.

system_key_directory

Path to the directory where local encryption/decryption key files, also called system keys, are stored. Distribute the system keys to all nodes in the cluster. Ensure that the DSE account is the folder owner and has read/write (600) permissions.

KMIP encryption options

Options for KMIP encryption keys and communication between the DataStax Enterprise node and the KMIP key server or key servers. Enables DataStax Enterprise encryption features to use encryption keys that are stored on a server that is not running DataStax Enterprise.

kmip_groupname

The unique, user-defined name of the KMIP host/cluster that is specified in the table schema: a name for a group of options to configure a KMIP server or servers, key settings, and certificates. Configure options in a kmip_groupname section for each KMIP key server or group of KMIP key servers. Using separate key server configuration settings allows use of different key servers to encrypt table data, and eliminates the need to enter key server configuration information in DDL statements and other configurations. Multiple KMIP hosts are supported.

Default: commented out

hosts

A comma-separated list of KMIP hosts (host[:port]) using the FQDN (Fully Qualified Domain Name). DSE queries the hosts in the listed order, so add KMIP hosts in the intended failover sequence.

For example, if the host list contains
kmip1.yourdomain.com, kmip2.yourdomain.com, DSE tries
kmip1.yourdomain.com and then
kmip2.yourdomain.com.

keystore_path

The path to a Java keystore created from the KMIP agent PEM files.

Default: commented out (/etc/dse/conf/KMIP_keystore.jks)

keystore_type

The type of keystore.

Default: commented out (jks)

keystore_password

The password to access the
keystore.

Default: commented out (password)

truststore_path

The path to a Java truststore that was created using the KMIP root certificate.

Default: commented out (/etc/dse/conf/KMIP_truststore.jks)

truststore_type

The type of truststore.

Default: commented out (jks)

truststore_password

The password to access the
truststore.

Default: commented out (password)

key_cache_millis

Milliseconds to locally cache the encryption keys that are read from the KMIP hosts.
The longer the encryption keys are cached, the fewer requests are made to the KMIP key
server, but the longer it takes for changes, like revocation, to propagate to the
DataStax Enterprise node. DataStax Enterprise uses concurrent encryption, so multiple
threads fetch the secret key from the KMIP key server at the same time. DataStax
recommends using the default value.
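A kmip_hosts sketch based on the options above; the group name secure_cluster, the passwords, and the key_cache_millis value are illustrative, while the paths match the documented defaults:

kmip_hosts:
  secure_cluster:                 # illustrative user-defined group name
    hosts: kmip1.yourdomain.com, kmip2.yourdomain.com
    keystore_path: /etc/dse/conf/KMIP_keystore.jks
    keystore_type: jks
    keystore_password: password
    truststore_path: /etc/dse/conf/KMIP_truststore.jks
    truststore_type: jks
    truststore_password: password
    key_cache_millis: 300000      # illustrative cache period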

DSE In-Memory options

To use the DSE In-Memory, choose one of these options to specify how much
system memory to use for all in-memory tables: fraction or size.

# max_memory_to_lock_fraction: 0.20
# max_memory_to_lock_mb: 10240

max_memory_to_lock_fraction

A fraction of the system memory. The default value of 0.20 specifies to use up to 20% of system memory. This max_memory_to_lock_fraction value is ignored if max_memory_to_lock_mb is set to a non-zero value. To specify a fraction, use this option instead of max_memory_to_lock_mb.

uptime_ramp_up_period_seconds

The amount of continuous uptime required for the node's uptime score to advance the node health score from 0 to 1 (full health), assuming there are no recent dropped mutations. The health score is a composite score based on dropped mutations and uptime.

Tip: If a node is repairing after a period of downtime, you might want to increase the uptime period to the expected repair time.

Default: commented out (10800, 3 hours)

dropped_mutation_window_minutes

The historic time window over which the rate of dropped mutations affects the node health score.

ttl_index_rebuild_options

Section of options to control the schedulers in charge of querying for and removing expired records, and the execution of the checks.

fix_rate_period

Time interval to check for expired data in seconds.

Default: 300

initial_delay

The number of seconds to delay the first TTL check to speed up start-up time.

Default: 20

max_docs_per_batch

The maximum number of documents to check and delete per batch by the TTL rebuild thread. All documents determined to be expired are deleted from the index during each check; to avoid memory pressure, their unique keys are retrieved and deletes are issued in batches.

Default: 4096

thread_pool_size

The maximum number of cores that can execute TTL cleanup concurrently. Set the
thread_pool_size to manage system resource consumption and prevent many search cores
from executing simultaneous TTL deletes.
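The TTL check options above can be sketched as one section; the parent name ttl_index_rebuild_options and the thread_pool_size value are assumptions, and the other values are the documented defaults:

ttl_index_rebuild_options:
  fix_rate_period: 300
  initial_delay: 20
  max_docs_per_batch: 4096
  thread_pool_size: 1      # illustrative value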

cql_solr_query_paging

Whether to use driver paging settings for CQL Solr queries. Driver paging settings are used when:

The current workload is an analytics workload, including SearchAnalytics. SearchAnalytics nodes always use driver paging settings.

The cqlsh query parameter paging is set to driver.

Even when cql_solr_query_paging: off, paging is dynamically enabled with the "paging":"driver" parameter in JSON queries.

When not set, the default is off.

Default: commented out (off)

Solr CQL query option

Available option for CQL Solr
queries.

cql_solr_query_row_timeout: 10000

cql_solr_query_row_timeout

The maximum time in milliseconds to wait for each row to be read from the database
during CQL Solr queries.

Default: commented out (10000 10 seconds)

DSE Search resource upload limit

solr_resource_upload_limit_mb: 10

solr_resource_upload_limit_mb

Option to disable or configure the maximum file size of the search index config or
schema. Resource files can be uploaded, but the search index config and schema are
stored internally in the database after upload.

Shard transport options

Timeout behavior during distributed queries: the internal timeout for all search queries, to prevent long-running queries. The client request timeout is the maximum cumulative time (in milliseconds) that a distributed search request waits idly for shard responses.

back_pressure_threshold_per_core

The maximum number of queued partitions during search index rebuilding and reindexing. This maximum number safeguards against excessive heap use by the indexing queue. If set lower than the number of threads per core (TPC), not all TPC threads can be actively indexing.

Default: commented out (1024)

flush_max_time_per_core

The maximum time, in minutes, to wait for the flushing of asynchronous index updates that occurs at DSE Search commit time or at flush time. Expert-level knowledge is required to change this value. Always set the value reasonably high to ensure flushing completes successfully and fully syncs DSE Search indexes with the database data. If the configured value is exceeded, index updates are only partially committed and the commit log is not truncated, which can undermine data durability.

Note: When a timeout
occurs, it usually means this node is being overloaded and cannot flush in a timely
manner. Live indexing increases the time to flush asynchronous index updates.

Default: commented out (5)

load_max_time_per_core

The maximum time, in minutes, to wait for each DSE Search index to load on startup
or create/reload operations. This advanced option should be changed only if exceptions
happen during search index loading. When not set, the default is 5
minutes.

solr_field_cache_enabled

The Apache Lucene® field cache is deprecated. Instead, for fields that are sorted, faceted, or grouped by, set docValues="true" on the field in the search index schema. Then reload the search index and reindex. When not set, the default is false.

Default: commented out (false)

ram_buffer_heap_space_in_mb

Global Lucene RAM buffer usage threshold for heap to force segment flush. Setting
too low might induce a state of constant flushing during periods of ongoing write
activity. For NRT, forced segment flushes also de-schedule pending auto-soft commits
to avoid potentially flushing too many small segments. When not set, the default is
1024.

Default: commented out (1024)

ram_buffer_offheap_space_in_mb

Global Lucene RAM buffer usage threshold for offheap to force segment flush. Setting
too low might induce a state of constant flushing during periods of ongoing write
activity. For NRT, forced segment flushes also de-schedule pending auto-soft commits
to avoid potentially flushing too many small segments. When not set, the default is
1024.

Default: commented out (1024)

Performance Service options

Global Performance Service options

Available options to configure the thread pool that is used by most plug-ins. A dropped
task warning is issued when the performance service requests more tasks than
performance_max_threads + performance_queue_capacity. When a task is dropped, collected
statistics might not be current.

performance_core_threads

Number of background threads used by the performance service under normal conditions.

Default: 4

performance_max_threads

Maximum number of background threads used by the performance service.

performance_queue_capacity

The number of tasks that can be queued in the backlog when all performance_max_threads are busy.

Default: 32000

Performance Service options

These settings are used by the Performance Service to configure collection of performance
metrics on transactional nodes. Performance metrics are stored in the dse_perf keyspace
and can be queried with CQL using any CQL-based utility, such as cqlsh or any application using a CQL driver. To temporarily make changes for
diagnostics and testing, use the dsetool perf
subcommands.

Time interval, in milliseconds, between subsequent retries by the Spark plugin when checking whether the Spark Master and Worker are ready to start.

Default: 1000

resource_manager_options

DataStax Enterprise can control the memory and cores offered by particular Spark
Workers in semi-automatic fashion. You can define the total amount of physical
resources available to Spark Workers, and optionally add named work pools with
specific resources dedicated to them.

worker_options

The amount of system resources that are made available to the Spark Worker. If the option is not specified, the default value 0.6 is used.

cores_total

The number of total system cores available to Spark. This setting can be the exact number of cores or a decimal fraction of the total system cores. If the option is not specified, the default value 0.7 is used.

When the value is expressed as a decimal, the
available resources are calculated in the following
way:

Spark Worker cores = cores_total * total system cores

The
lowest value that you can assign to Spark Worker cores is 1 core. If the results are
lower, no exception is thrown and the values are automatically limited.

Note: Setting cores_total or a workpool's
cores to 1.0 is a decimal value, meaning 100% of the available
cores will be reserved. Setting cores_total or
cores to 1 (no decimal point) is an explicit value, and one
core will be reserved.

memory_total

The amount of total system memory available to Spark. This setting can be the exact
amount of memory or a decimal of the total system memory. When the value is an
absolute value, you can use standard suffixes like M for megabyte and G for
gigabyte.

When the value is expressed as a decimal, the available resources are calculated in the following way:

The lowest value that you can assign to Spark Worker memory is 64 MB. If the result is lower, no exception is thrown and the value is automatically limited. If the option is not specified, the default value 0.6 is used.

workpools

Named work pools that can use a portion of the total resources defined under
worker_options. A default work pool named default
is used if no work pools are defined in this section. If work pools are defined, the
resources allocated to the work pools are taken from the total amount, with the
remaining resources available to the default work pool. The total
amount of resources defined in the workpools section must not exceed
the resources available to Spark in worker_options.

A work pool named alwayson_sql is created by default for AlwaysOn
SQL. By default, it is configured to use 25% of the resources available to Spark.

name

The name of the work pool.

cores

The number of system cores to use in this work pool expressed as either an absolute
value or a decimal value. This option follows the same rules as
cores_total.

memory

The amount of memory to use in this work pool expressed as either an absolute value
or a decimal value. This option follows the same rules as
memory_total.
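A resource_manager_options sketch using the documented defaults (0.7 of cores, 0.6 of memory) and a single named work pool mirroring the default alwayson_sql allocation of 25%:

resource_manager_options:
  worker_options:
    cores_total: 0.7     # decimal: 70% of total system cores
    memory_total: 0.6    # decimal: 60% of total system memory
    workpools:
      - name: alwayson_sql
        cores: 0.25
        memory: 0.25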

spark_ui_options

Specify the source for SSL settings for Spark Master and Spark Worker UIs. The
spark_ui_options apply only to Spark daemon UIs, and do not apply to user applications
even when the user applications are run in cluster mode.

DSEFS options

enabled

Whether DSEFS starts on this node.

blank or commented out (#) - DSEFS will start only if the node is configured to run analytics workloads.

Default: commented out (blank)

keyspace_name

The keyspace where the DSEFS metadata is stored. You can optionally configure
multiple DSEFS file systems within a single datacenter by specifying different
keyspace names for each cluster.

Default: commented out (dsefs)

work_dir

The local directory for storing the local node metadata, including the node
identifier. The volume of data stored in this directory is nominal and does not
require configuration for throughput, latency, or capacity. This directory must not be
shared by DSEFS nodes.

Default: commented out (/var/lib/dsefs)

public_port

The public port on which DSEFS listens for clients.

Note: DataStax recommends that all nodes in the cluster have the
same value. Firewalls must open this port
to trusted clients. The service on this port is bound to the native_transport_address.

Default: commented out (5598)

private_port

The private port for DSEFS inter-node communication.

CAUTION: Do not open this port to firewalls; this private port must not be visible from outside of the cluster.

Default: commented out (5599)

data_directories

One or more data locations where the DSEFS data is stored.

- dir

Mandatory attribute to identify the set of directories. DataStax recommends
segregating these data directories on physical devices that are different from the
devices that are used for DataStax Enterprise. Using multiple directories on JBOD
improves performance and capacity.

Default: commented out (/var/lib/dsefs/data)

storage_weight

The weighting factor for this location specifies how much data to place in this
directory, relative to other directories in the cluster. This soft constraint
determines how DSEFS distributes the data. For example, a directory with a value of
3.0 receives about three times more data than a directory with a value of 1.0.

Default: commented out (1.0)

min_free_space

The reserved space, in bytes, that is not used for storing file data blocks. You can use a unit of measure suffix to specify other size units. For example: terabyte (1 TB), gigabyte (10 GB), and megabyte (5000 MB).

Default: commented out (5368709120)
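The DSEFS settings above can be sketched as follows; nesting under a dsefs_options parent is assumed, and the values are the documented defaults:

dsefs_options:
  enabled:                # blank: start DSEFS only on analytics nodes
  keyspace_name: dsefs
  work_dir: /var/lib/dsefs
  public_port: 5598
  private_port: 5599
  data_directories:
    - dir: /var/lib/dsefs/data
      storage_weight: 1.0
      min_free_space: 5368709120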

Advanced properties for DSEFS

service_startup_timeout_ms

Wait time, in milliseconds, before the DSEFS server times out while waiting for
services to bootstrap.

Default: commented out (30000)

service_close_timeout_ms

Wait time, in milliseconds, before the DSEFS server times out while waiting for
services to close.

Default: commented out (600000)

server_close_timeout_ms

Wait time, in milliseconds, that the DSEFS server waits during shutdown before
closing all pending
connections.

Default: commented out (2147483647)

compression_frame_max_size

The maximum accepted size of a compression frame defined during file upload.

Default: commented out (1048576)

query_cache_size

Maximum number of elements in a single DSEFS Server query cache.

Default: commented out (2048)

query_cache_expire_after_ms

The time to retain the DSEFS Server query cache element in cache. The cache element
expires when this time is exceeded.

Default: commented out (2000)

gossip options

Options to configure DSEFS gossip rounds.

round_delay_ms

The delay, in milliseconds, between gossip rounds.

Default: commented out (2000)

startup_delay_ms

The delay time, in milliseconds, between registering the location and reading back
all other locations from the database.

Default: commented out (5000)

shutdown_delay_ms

The delay time, in milliseconds, between announcing shutdown and shutting down the
node.

Default: commented out (30000)

rest_options

Options to configure DSEFS REST connection and request timeouts.

request_timeout_ms

The time, in milliseconds, that the client waits for a response that corresponds to
a given request.

Default: commented out (330000)

connection_open_timeout_ms

The time, in milliseconds, that the client waits to establish a new connection.

Default: commented out (55000)

client_close_timeout_ms

The time, in milliseconds, that the client waits for pending transfer to complete
before closing a connection.

Default: commented out (60000)

server_request_timeout_ms

The time, in milliseconds, to wait for the server rest call to complete.

Default: commented out (300000)

idle_connection_timeout_ms

The time, in milliseconds, for RestClient to wait before closing an idle connection. If RestClient does not close the connection after the timeout, the connection is closed after 2 * idle_connection_timeout_ms.

time - wait time to close idle connection

0 - disable closing idle connections

Default: commented out (60000)

internode_idle_connection_timeout_ms

Wait time, in milliseconds, before closing idle internode connection. The internode
connections are primarily used to exchange data during replication. Do not set lower
than the default value for heavily utilized DSEFS
clusters.

Default: commented out (0) (disabled)

core_max_concurrent_connections_per_host

Maximum number of connections to a given host per single CPU core. DSEFS keeps a
connection pool for each CPU core.

Default: 120000

transaction_options

Options to configure DSEFS transaction times.

transaction_timeout_ms

Transaction run time, in milliseconds, before the transaction is considered for
timeout and rollback.

Default: 3000

conflict_retry_delay_ms

Wait time, in milliseconds, before retrying a transaction that was ended due to a
conflict. Default: 200

conflict_retry_count

The number of times to retry a transaction before giving up. Default: 40

execution_retry_delay_ms

Wait time, in milliseconds, before retrying a failed transaction payload execution.
Default: 1000

execution_retry_count

The number of payload execution retries before signaling the error to the
application. Default: 3
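The gossip, REST, and transaction timeouts above can be grouped into one sketch; nesting under a dsefs_options parent is assumed, and the values are the documented defaults:

dsefs_options:
  gossip_options:
    round_delay_ms: 2000
    startup_delay_ms: 5000
    shutdown_delay_ms: 30000
  rest_options:
    request_timeout_ms: 330000
    connection_open_timeout_ms: 55000
    client_close_timeout_ms: 60000
    server_request_timeout_ms: 300000
    idle_connection_timeout_ms: 60000
  transaction_options:
    transaction_timeout_ms: 3000
    conflict_retry_delay_ms: 200
    conflict_retry_count: 40
    execution_retry_delay_ms: 1000
    execution_retry_count: 3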

block_allocator_options

Controls how much additional data can be placed on the local coordinator before the
local node overflows to the other nodes. The trade-off is between data locality of
writes and balancing the cluster. A local node is preferred for a new block
allocation,
if:

included_categories

Comma separated list of event categories that are captured, where the category names are:

QUERY - Data retrieval events.

DML - (Data manipulation language) Data change events.

DDL - (Data definition language) Database schema change events.

DCL - (Data change language) Role and permission management events.

AUTH - (Authentication) Login and authorization related events.

ERROR - Failed requests.

UNKNOWN - Events where the category and type are both
UNKNOWN.

Event categories that are not listed are not captured.

Warning: Use
either included_categories or
excluded_categories but not both. When specifying included
categories leave excluded_categories blank or
commented out.

Default: none (include all categories)

excluded_categories

Comma separated list of categories to ignore, where the categories are:

QUERY - Data retrieval events.

DML - (Data manipulation language) Data change events.

DDL - (Data definition language) Database schema change events.

DCL - (Data change language) Role and permission management events.

AUTH - (Authentication) Login and authorization related events.

ERROR - Failed requests.

UNKNOWN - Events where the category and type are both
UNKNOWN.

Events in all other categories are logged.

Warning: Use either
included_categories or excluded_categories but
not both. When specifying excluded categories leave included_categories blank or commented
out.

Default: none (exclude no categories)

included_keyspaces

The keyspaces for which events are logged. Specify keyspace names in a comma
separated list or use a regular expression to filter on keyspace name.

Warning: DSE supports using either included_keyspaces or excluded_keyspaces but not both. When specifying included keyspaces, leave excluded_keyspaces blank or comment it out.

Default: none (include all keyspaces)

excluded_keyspaces

Log events for all keyspaces that are not listed. Specify a comma separated list of keyspace names or use a regular expression to filter on keyspace name. Only use this option if included_keyspaces is blank or commented out.

Default: none (exclude no keyspaces)

included_roles

The roles for which events are logged. Log events for the listed roles. Specify
roles in a comma separated list.

Warning: DSE supports using either included_roles or excluded_roles but not both. When specifying included_roles, leave excluded_roles blank or comment it out.

Default: none (include all roles)

excluded_roles

The roles for which events are not logged. Specify a comma separated list of role names. Only use this option if included_roles is blank or commented out.

retention_time

The amount of time, in hours, that audit events are retained by supporting loggers. Only the CassandraAuditWriter supports retention time.

0 - retain events forever

hours - the number of hours to retain audit events

Default: 0 (retain events forever)
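A sketch of the audit filter options above; the parent name audit_logging_options and the enabled flag are assumptions, and the category and keyspace values are illustrative:

audit_logging_options:
  enabled: true                         # assumed top-level flag
  included_categories: AUTH, DDL, DCL   # illustrative category list
  excluded_keyspaces: system            # illustrative keyspace filter
  retention_time: 0                     # retain events forever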

cassandra_audit_writer_options

Audit writer options.

mode

The mode the writer runs in.

sync - A query is not executed until the audit event is successfully written.

async - Audit events are queued for writing to the audit table, but are not
necessarily logged before the query executes. A pool of writer threads consumes
the audit events from the queue, and writes them to the audit table in batch
queries.

Important: While async substantially improves performance
under load, if a failure occurs after a query executes but before its
audit event is written to the table, the audit table might be missing entries
for queries that were executed.

Default: sync

batch_size

Available only when mode: async. Must be greater than 0.

The maximum number of
events the writer dequeues before writing them out to the table. If warnings in the
logs reveal that batches are too large, decrease this value or increase the value of
batch_size_warn_threshold_in_kb in
cassandra.yaml.

Default: 50

flush_time

Available only when mode: async.

The maximum amount of time, in milliseconds, that an event waits in the queue
before a writer flushes it to the table. This flush
time prevents events from waiting too long before being written to the table when
query volume is low.

Default: 500

queue_size

The size of the queue feeding the asynchronous audit log writer threads. When there
are more events being produced than the writers can write out, the queue fills up, and
newer queries are blocked until there is space on the queue. If a value of 0 is used,
the queue size is unbounded, which can lead to resource exhaustion under heavy query
load.

Default: 30000

write_consistency

The consistency level that is used to write audit events.

Default: QUORUM

dropped_event_log

The directory to store the log file that reports dropped events. When not set, the
default is
/var/log/cassandra/dropped_audit_events.log.

Default: commented out (/var/log/cassandra/dropped_audit_events.log)

day_partition_millis

The interval, in milliseconds, between changing nodes to spread audit log
information across multiple nodes. For example, to change the target node every 12
hours, specify 43200000 milliseconds. When not set, the default is 3600000 (1
hour).

Default: commented out (3600000 milliseconds, or 1 hour)
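
Assuming the CassandraAuditWriter is selected with the logger option, an asynchronous writer configuration combining the options above might be sketched as follows; the values shown are the documented defaults except for mode:

```yaml
audit_logging_options:
    enabled: true
    logger: CassandraAuditWriter
    cassandra_audit_writer_options:
        # async: queries are not blocked waiting for the audit write
        mode: async
        batch_size: 50
        flush_time: 500
        queue_size: 30000
        write_consistency: QUORUM
        # dropped_event_log: /var/log/cassandra/dropped_audit_events.log
        # day_partition_millis: 3600000
```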

DSE Tiered Storage options

Options that define one or more disk configurations for DSE
Tiered Storage. Specify each disk configuration as a collection of unnamed tiers
containing paths, listed in priority order with the fastest storage media in
the top tier. With heterogeneous storage configurations across the cluster, specify each
disk configuration with config_name:config_settings,
and then use this configuration in CREATE TABLE or ALTER TABLE
statements.

Options to configure the smart movement of data across different types of storage
media, so that data is matched to the most suitable drive type according to the
performance and cost characteristics it requires.

strategy1

The first disk configuration strategy. To define additional configurations, add
strategy2, strategy3, and so on. In
this example, strategy1 is the configurable name of the tiered
storage configuration strategy.

tiers

Each unnamed tier in this section defines a storage tier with the file paths
that set the priority order.

paths

The list of file paths that define the data directories for this
tier of the disk configuration. Typically, list the fastest storage media first. These
paths are used only to store data that is configured to use tiered storage, and they
are independent of any settings in the cassandra.yaml file.

- /filepath

The file paths that define the data directories for this tier of the disk
configuration.
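
A two-tier configuration following the structure above might be sketched as follows; the strategy name and mount points are illustrative:

```yaml
tiered_storage_options:
    strategy1:
        tiers:
            # Top tier: fastest media first
            - paths:
                - /mnt/ssd/data1
                - /mnt/ssd/data2
            # Lower tier: slower, higher-capacity media
            - paths:
                - /mnt/hdd/data1
```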

server_acceptor_threads

The number of server acceptor threads. When not set, the default is the number of
available processors.

Default: commented out

server_worker_threads

The number of server worker threads. When not set, the default is the number of
available processors * 8.

Default: commented out

client_max_connections

The maximum number of client connections. When not set, the default is
100.

Default: commented out (100)

client_worker_threads

The number of client worker threads. When not set, the default is the number of
available processors * 8.

Default: commented out

handshake_timeout_seconds

Timeout for communication handshake process. When not set, the default is
10.

Default: commented out (10)

client_request_timeout_seconds

Timeout for non-query search requests like core creation and distributed deletes.
When not set, the default is
60.

Default: commented out (60)
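
These thread, connection, and timeout settings can be sketched together as in the following fragment; the parent key name and the explicit thread counts (which assume an 8-core server) should be verified against the shipped dse.yaml, since by default these settings are commented out:

```yaml
internode_messaging_options:
    # When commented out, defaults to the number of available processors
    server_acceptor_threads: 8
    # When commented out, defaults to available processors * 8
    server_worker_threads: 64
    client_max_connections: 100
    client_worker_threads: 64
    handshake_timeout_seconds: 10
    client_request_timeout_seconds: 60
```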

DSE Multi-Instance server_id

server_id

In DSE Multi-Instance /etc/dse-nodeId/dse.yaml files, the
server_id option is generated to uniquely identify the physical
server on which multiple instances are running. The server_id
default value is the media access control address (MAC address) of the physical
server. You can change server_id when the MAC address is not
unique, such as a virtualized server where the host’s physical MAC is cloned.
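
A minimal override might look like the following; the MAC-style value is illustrative:

```yaml
# Set explicitly when the host's MAC address is cloned (value is illustrative)
server_id: 00-50-56-9A-1B-2C
```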

The maximum number of parameters that can be passed on a graph query request for
TinkerPop drivers and drivers using the Cassandra native protocol. Passing very large
numbers of parameters on requests is an anti-pattern, because the script evaluation
time increases proportionally. DataStax recommends reducing the number of parameters
to speed up script compilation times. Before you increase this value, consider
alternate methods for parameterizing scripts, like passing a single map. If the graph
query request requires many arguments, pass a list.

port

The available communications port for Gremlin Server. When not set, the default is
8182.

Default: commented out (8182)

threadPoolWorker

The number of worker threads that handle non-blocking read and write (requests and
responses) on the Gremlin Server channel, including routing requests to the right
server operations, handling scheduled jobs on the server, and writing serialized
responses back to the client. When not set, the default is 2.

Default: commented out (2)

gremlinPool

The number of Gremlin threads available to execute actual scripts in a
ScriptEngine. This pool represents the workers available to handle blocking
operations in Gremlin Server.

0 - the value of the JVM property cassandra.available_processors, if that
property is set

When not set - the value of Runtime.getRuntime().availableProcessors()

Default: commented out (0)

scriptEngines

Section to configure Gremlin Server scripts.

gremlin-groovy

Section for gremlin-groovy scripts.

sandbox_enabled

The sandbox is enabled by default. To disable the Gremlin Groovy sandbox entirely, set
to false.

sandbox_rules

Section for sandbox rules.

whitelist_packages

List of packages, one package per line, to whitelist.

- package.name

Retain the hyphen before the fully qualified package name.

whitelist_types

List of types, one type per line, to whitelist.

- fully.qualified.type.name

Retain the hyphen before the fully qualified type name.

whitelist_supers

List of super classes, one class per line, to whitelist.

- fully.qualified.class.name

Retain the hyphen before the fully qualified class name.

blacklist_packages

List of packages, one package per line, to blacklist.

- package.name

Retain the hyphen before the fully qualified package name.

blacklist_supers

List of super classes, one class per line, to blacklist. Retain the hyphen before
the fully qualified class name.
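
Putting the Gremlin Server options together, a sandbox configuration might be sketched as follows; the exact nesting and the whitelisted names are illustrative assumptions and should be checked against the shipped dse.yaml:

```yaml
graph:
    gremlin_server:
        port: 8182
        threadPoolWorker: 2
        gremlinPool: 0
        scriptEngines:
            gremlin-groovy:
                config:
                    sandbox_enabled: true
                    sandbox_rules:
                        whitelist_packages:
                            - org.example.analytics        # hypothetical package
                        whitelist_supers:
                            - org.example.BaseVertexProgram  # hypothetical class
```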